[cryptography] Asynchronous forward secrecy encryption

Michael Rogers michael at briarproject.org
Wed Sep 18 10:49:46 EDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 18/09/13 08:23, ianG wrote:
> If I compromise your first shared secret, does that mean every
> shared secret thereafter is compromised?

Yes. (Improvements are possible here, by sending and acking fresh key
material inside the encrypted envelopes, but that requires two-way
communication, so in the one-way case we'd always be vulnerable to the
initial secret being compromised.)

> How do you coordinate between endpoints for the rotation?  Is it 
> strictly time-based?  Or is there some sense of "searching the
> space" by hashing forward multiple rotations until the message
> decrypts?

It's strictly time-based. The rotation period is based on the maximum
latency of the communication channel and the maximum difference
between the endpoints' clocks, such that if the sender thinks it's
rotation period p at the time of sending, the recipient will think
it's no earlier than period p-1 and no later than period p+1 at the
time of receipt.

If the endpoints have very inaccurate clocks, you get longer rotation
periods but the protocol still works - as long as the endpoints know
roughly how inaccurate their clocks might be.

> Ah, but does it consider the pâté attack?  ;)

Is that a type of meat-in-the-middle attack?

Cheers,
Michael

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJSOb2KAAoJEBEET9GfxSfMae8IAMR0HxXQYUwIgJrQ5byQnIdO
/z8frXW4qhBKtyt+zimpS1N0qBxg5hbQKoSYqSsIq/Et80/Lmjivnv/bHrVvfCeI
RX0aFVvZi3BXthuYqr8x/AAbYun9y/jGAz6UoIDyXXA9oljom//e5AqZK3p9o9sg
eWDltbuc4R5QBMEeMvbL7MM5PxrpSEVGfh0KzQZFn/MOCg6pjDuXWnfWWajf1Eg0
FZvaGNKu9DmNU9hxI8MOZePmiTy9S/Bjayp6Syt1cJTKKT9lT8IQJwRb1tERf/Go
DqrdZBUZmsR1CIlzy9eS2XSUD4hyBqfp+Y2hjWanzsA1JWx7XrcDxxy5jTRJ3+c=
=R1L+
-----END PGP SIGNATURE-----


More information about the cryptography mailing list